Thanks Marty. Assuming, I'm doing everything else in my call alright, I'm sure that's it. The connect-src is 'self'. The security violation message I get refers to na15.salesforce.com, even though I'm not at that URL. I'll update the question with more details. I'm guessing the Salesforce URLs need to be whitelisted.
– Peter KnolleNov 6 '14 at 1:58

5 Answers
5

Marty is correct, although I would like to temper the description of this being "unfortunate" a bit with some background on why the security policy is in place. In order for us to satisfy our internal security audits and architectural reviews which allowed us, for the first time ever in our presentation layer, to provide a supported mechanism to allow salesforce authored code and customer/ISV/partner authored code to coexist in the same JavaScript space we had to tighten things down significantly. Here are some of the things currently enforced:

Content security policy, or CSP, a relatively new browser technology that allows us to have fine-grained control over access to all external references to scripts, images, stylesheets, etc. Our policy is extremely restrictive right now and not extensible but we had plans to open up a white listing capability in the near future.

Lightning applications are served from a separate domain in much the same manner that visual force pages are today. The difference here is that you are actually in the same application, running right next to our client-side code and not relegated to live in an iframe silo. Those silos have presented significant challenges around producing high performance, high fidelity, engaging user experiences that integrates directly into core salesforce functionality for many years.

The lightning application separate domain also uses a special lightning session ID that does not have direct API access. The fact that you can currently provide indirect access to a fully API capable session ID is a great example of why our content security policy is currently so restrictive. Leaking an API said back to the client in a way that malicious JavaScript can easily steal is precisely why we have things locked down so tightly today. What should happen if you attempted to serialize an API session ID from an apex controller? That session ID is supposed to be the same restricted access Aura session ID but we apparently have a leak in that underlying logic. Our belt and suspenders approach with CSP combined with serving from a separate domain actually thwarted this potential attack.

Why did we do these things? Most of it boils down to "protect Setup". Without these safeguards in place is almost trivial for malicious client side code to gain height and privileges and access to administrative level functionality by remote controlling the setup user interface Also, much of what we have done so far represent cross site scripting (XSS) attack countermeasures.

There is definitely much more to the story but hopefully this gives you some of the back story to better understand our decisions and direction. This is not the end, rather just the beginning, and we are hard at work on improving and refining our approach to balancing the security requirements that we have to satisfy along with providing all of you with the tools that you need to build what you want.

Thanks for the detailed and insightful explanation, Doug. Can you confirm two things: Right now, for developers (myself included) who need to be able to access the Salesforce REST API in our apps, is going through Apex the only way? And when you say "leak in that underlying logic", are you referring to the fact that going through Apex is currently possible but something that will be blocked in a future release or critical update?
– Marty C.Nov 6 '14 at 16:43

Hi @MartyC. and Doug - I raised a followup question here salesforce.stackexchange.com/questions/68124/… - would be very important to learn if the API will be lightnified sooner or later. Without API several great patterns we love and need in Visualforce will not work in Lightning.
– Uwe HeimMar 4 '15 at 14:21

Peter, the unfortunate answer (I think) is that based on how Lightning currently works in Winter '15, we may not have a direct way of connecting to any of Salesforce's REST APIs. As a workaround, it appears that you can leverage Apex as a conduit to the REST APIs.

The approach can be summarized as follows:

Create an Apex client for the REST API

Create an Apex controller for your Lightning app

Create your Lightning app, and bind it to the controller

Specify an init handler for your app

Configure the handler to enqueue the Apex controller's action to execute the REST API operation

I believe this is the only approach supported because of the CSP rules. I'm investigating but it seems you need to use the Apex controller.
– Enrico MurruNov 6 '14 at 13:22

3

This definitely no longer works, the sessions Id generated by UserInfo.getSessionId() when the apex is running in the lightning context, returns this response:[{"message":"This session is not valid for use with the REST API","errorCode":"INVALID_SESSION_ID"}]
– EvanFeb 18 '16 at 21:57

@Marty C., will we need a Remote End Point setup in user org pointing to the current domain name of the org, in this approach?
– VarunCJan 10 '17 at 14:20

In 2015, Raja Rao wrote a Salesforce Developer Relations blog post explaining how you could host a VisualForce page in an iFrame and embed that in a Lightning Component, while passing messages back and forth using HTML5 postMessage.

This is intentional at this time. There's no official/supported way to get an API-capable session ID in Lightning Components. Again, this is by design.

With only a little creativity and cleverness you can create a bare-bones Visualforce page with {! $Api.SessionID }, and then call getContent(thatPage) from Apex to get a page that contains an API-capable session ID, which you should be able to parse out easily enough.

From there, it's not hard to pass that session ID along to Lightning Components via an @AuraEnabled method.

But let's be clear: this is a hack, the performance will be poor, and there's good reasons to keep an API-capable session ID out of your Lightning Components code.